Device Data Systems: What the New Rules Leave Out

FDA released its ruling for medical device data systems (MDDS) in February. Devices under that category have officially been reclassified from Class III to Class I devices.

This is good news for companies whose products were already being evaluated by FDA as MDDS—it eases their regulatory burden. For other companies, the rules present some complications.

“It’s a bit of a shell game because FDA has said that it would exercise enforcement discretion not to regulate such software,” explains Greg Levine, cochair of the life sciences group at the law firm Ropes & Gray LLP. Under the law, he says, any previously unclassified medical device is, by default, a Class III device subject to stringent FDA regulation, including premarket approval. But with regard to software, FDA’s practice of discretionary enforcement has essentially resulted in FDA leaving alone most companies in this sector. So FDA saying that these products always were Class III devices and are now down-classifed into Class I, is something of a misdirection. “FDA says this is a deregulatory step, but that’s true only in the most technical legal sense,” Levine says.

Most MDDS vendors have not established FDA-compliant systems. “The changes FDA made to its proposed MDDS rule simultaneously enlarge the MDDS category to capture more software that we might have assumed would be unregulated, but also enlarged the MDDS category to capture software that might otherwise have been placed in class II or III,” wrote Brad Thompson, a partner with Epstein Becker and Green.

FDA defines MDDS as “a device that is intended to transfer, store, convert from one format to another according to preset specifications, or display medical device data.” It can include software, electronic or electrical hardware, modems, interfaces, and communications protocol. The definition does not include devices that control or alter the functions of any connected medical devices or that are intended to be used in connection with active patient monitoring.

Companies that have not been subject to FDA enforcement, but that produce MDDS, should be prepared to face new regulatory challenges, such as FDA registration and inspection, quality system regulations, and medical device reporting. Levine says that initial compliance will be more difficult for small companies than for large firms. “There are a significant number of smaller vendors whose products will fall within this definition. Relatively speaking, these companies are probably less prepared than larger companies are likely to be.”

FDA’s action also may complicate the regulatory landscape for manufacturers of software that falls outside the narrow MDDS definition. In the preamble to the rule, FDA says that devices such as clinical decision support tools and software used for active patient monitoring and electronic health records are not MDDS. But Levine warns that FDA has withdrawn its guidance describing the agency’s generally lenient approach to such software. “If one were to take FDA at its literal word, you would have to assume that unless FDA declares otherwise, your previously unclassified product is considered a Class III device,” he says. “This will create a challenge for companies whose health IT products fall outside the MDDS definition. We need FDA to explain whether it plans to exercise enforcement discretion for at least some of these non-MDDS products.”

All told, the changes raise more questions than they answer. Manufacturers that supply MDDS should be prepared to adopt robust regulatory systems if they haven’t already. Companies that produce software outside the definition of MDDS should also prepare, although for what exactly is unclear. As Thompson said, “FDA has published just one piece of a puzzle, only the rabbit’s nose, and we have to use our imagination . . . to see the rest of the rabbit.”